Antiviruses and security (SaaS, Cloud ...)
av-host.net

Will passwords become a thing of the past?
2014-05-22 13:37

KMM shared a link

Data breaches happen. A lot.

Last month alone has seen incidents affecting targets as large as the US Veterans of Foreign Wars, LaCie Hardware, and most recently 30,000 students and alumni from Iowa State University, in an interesting attack that gleaned SSNs and also hijacked the school’s servers to mine for Bitcoins.

Then there was Heartbleed, the ultra-critical-Internet-apocalypse-approaching vulnerability that potentially exposed millions of user credentials from 2/3 of all websites presently in existence and that may have been doing so for up to two years.

We’ve written on the importance of using strong passwords, but even the strongest ones are useless if they are breached in plain text. So the question remains: will the constant onslaught of data breaches mean that passwords and other server-stored credentials lose their value and become obsolete tokens of the past?

Future Password Alternatives

Strong passwords still matter. 53q)y&67cs#Me09x_oti is still much more resilient to a dictionary attack than 123456. This is largely irrelevant, however, if an attacker can simply peek into the space where 53q)y&67cs#Me09x_oti is stored in plain text and see it conveniently paired with its username and potentially other valuable credentials, such as a credit card number or an SSN. Competent service providers do put security measures in place, but none are 100% impenetrable against what can be highly organized and advanced groups of attackers looking to cash in big. As Heartbleed has shown us, complex computer security systems are always vulnerable to human oversight. In response, some developers propose solutions that sidestep password credentials entirely.

Face recognition

NEC Corporation of Japan recently announced the launch of a biometric security program called the NeoFace Monitor, which uses face recognition technology to lock and protect PCs. Reports have indicated that the technology has error rates as low as 0.3% and it has already been recognized by NIST. NeoFace uses image-processing algorithms to recognize facial features when users look into their PC’s webcam. If NeoFace finds a match, the PC is unlocked, just as is currently done with your typical password. NeoFace currently runs on Windows 7 and 8, but NEC has indicated plans to expand to the Android OS and has also already placed “Mobile Facial Recognition Appliances” in select Hong Kong stores, banks, and hotels to see how facial recognition can help proprietors enhance security and customer service.

Theoretically, NeoFace and other facial recognition technologies could also be used to grant user access to any website. Realistically, this might be technically or financially impossible for many companies, but it would indeed boost security, as a face is much harder to steal than a password.

Fingerprint scanning

Another biometric password bypass long in the works is the not-so-futuristic concept of fingerprint scanning. Like facial recognition, fingerprint scans rely on a biological trait unique to each individual user. Unlike facial recognition, tests have repeatedly shown that this security measure is somewhat easy to bypass. The video in this article from Ars Technica shows how white hat hackers bypassed the fingerprint lock scanner on a Samsung Galaxy 5 with a forged fingerprint they created by taking a picture of a real print they found on the phone’s glossy surface. The hackers subsequently logged on to the smartphone, accessed a PayPal app, and transferred money from one test account to another, simulating how a real attacker could act. Of course, such a bypass requires physical access to the fingerprints, which means fingerprint scanning might actually be a solid solution for website log-ins to servers located halfway across the world, where the attacker is remote.

Chromebook Easy Unlock

Know anyone who has keyless entry for their car and is somehow able to unlock and start their vehicle without taking anything out of their pocket, at the push of a button? Rumor has it that this is exactly the type of thing Google has in mind for the future of Chromebook security. Easy Unlock would work just like keyless entry on a car, except that instead of a specialized remote that emits a radio signal, the Chromebook would be unlocked by the presence of a matching, registered Android device. Google has yet to release any official statement about when this sort of technology will be available, but it has apparently already produced marketing materials and user guides, and this is not the first time the company has dabbled in password alternatives.

Present Day Password Solutions

It may be some time before biometrics and other password replacement technologies reach the mainstream. In the meantime, one of the best ways to add an additional layer of security to your Internet usage is to enable two-factor authentication on websites that allow it. Two-factor authentication requires an extra step any time you log on to a website from an unrecognized device, such as a friend’s computer: in addition to entering your password, you enter a security code that is texted to your mobile device. This means that if someone steals your password, they cannot log on to your account unless they somehow also steal your home computer. Because most password theft is carried out by remote attackers, this is a powerful capability and a great feature to add to any account that allows it – particularly email and banking.
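The server side of the extra step described above, as an added example that is not Emsisoft's code or any real provider's: a correct password from a device the account has never completed the code step on yields a short-lived, single-use code instead of a session. Names such as `Account`, `login` and `submit_code` are illustrative, and code delivery (the SMS itself) is out of scope.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo (not Emsisoft code) of the server side of the "extra step":
# a correct password from a device the account has never completed 2FA on
# gets a short-lived, single-use code instead of a session. Delivery of the
# code (SMS) is out of scope here; login() simply returns it to the caller.
CODE_TTL_SECONDS = 300
KDF_ITERATIONS = 100_000

class Account:
    def __init__(self, username, password):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, KDF_ITERATIONS)
        self.known_devices = set()   # device ids that have passed the code step before
        self.pending = None          # (device_id, code, expires_at) while a code is outstanding

    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, KDF_ITERATIONS)
        return hmac.compare_digest(cand, self.pw_hash)

def login(account, password, device_id, now=None):
    """Returns ("denied", None), ("ok", None) or ("code_required", code)."""
    now = time.time() if now is None else now
    if not account.check_password(password):
        return "denied", None
    if device_id in account.known_devices:
        return "ok", None                     # recognized device: password is enough
    code = f"{secrets.randbelow(10**6):06d}"  # 6 random digits, as in an SMS code
    account.pending = (device_id, code, now + CODE_TTL_SECONDS)
    return "code_required", code

def submit_code(account, device_id, code, now=None):
    """Second step. True only for the right code, from the same device, before expiry."""
    now = time.time() if now is None else now
    pending, account.pending = account.pending, None   # single use: any attempt consumes it
    if pending is None:
        return False
    p_device, p_code, expires = pending
    if now > expires or p_device != device_id:
        return False
    if not hmac.compare_digest(code.encode(), p_code.encode()):
        return False
    account.known_devices.add(device_id)   # remember the device for next time
    return True
```

A wrong or expired code discards the pending code rather than leaving it open to repeated guesses, and a code issued to one device cannot be redeemed from another.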

Unfortunately, two-factor authentication is not completely immune to malware. Attackers have designed malware that infects mobile devices and intercepts the real two-factor authentication codes sent by real service providers. This is exactly what the iBanking Rogue currently does, and it is exactly why we have made the effort to create Emsisoft Mobile Security.

Aside from two-factor authentication, your best bet for the time being is to use strong, un-memorizable passwords and a password management system of your choosing – be it commercial or manual. In almost all cases, service providers do store your password as a cryptographic hash, but if that hash corresponds to a common password and is breached, it can easily be cracked by a brute-force or dictionary attack. The same method can be used by malware that directly targets your home computer. This is why we create low-impact anti-malware, made with the PC environment in mind.
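To make the point about hashed-but-common passwords concrete, here is an added example (not code from the page or from Emsisoft) that stores two constructed accounts first as unsalted SHA-1 and then as salted PBKDF2, and runs the same tiny constructed wordlist against both stores. The function names and the five-word wordlist are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from any real breach): a tiny "common passwords"
# list and two accounts, one with the strong password quoted on this page.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]
ACCOUNTS = {"alice": "123456", "bob": "53q)y&67cs#Me09x_oti"}
PBKDF2_ITERATIONS = 100_000   # kept modest for the demo; production values are higher

def fast_unsalted_hash(password: str) -> str:
    """What a weak provider might store: a single unsalted SHA-1 per password."""
    return hashlib.sha1(password.encode()).hexdigest()

def recover_from_fast_hashes(stored: dict, wordlist: list) -> dict:
    """With no salt, the wordlist is hashed once and every breached record is a
    plain table lookup, so common passwords fall out immediately."""
    table = {fast_unsalted_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def slow_salted_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256: a random salt per record and a tunable cost."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how much of the hash matched."""
    return hmac.compare_digest(slow_salted_hash(password, salt)[1], digest)

def recover_from_salted_hashes(stored: dict, wordlist: list) -> tuple:
    """Same wordlist against the salted store: no shared table is possible, so the
    full KDF runs once per (record, guess) pair. Returns (found, kdf_runs)."""
    found, kdf_runs = {}, 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            kdf_runs += 1
            if verify(guess, salt, digest):
                found[user] = guess
                break
    return found, kdf_runs

if __name__ == "__main__":
    weak = {u: fast_unsalted_hash(p) for u, p in ACCOUNTS.items()}
    print("unsalted SHA-1:", recover_from_fast_hashes(weak, COMMON_PASSWORDS))
    strong = {u: slow_salted_hash(p) for u, p in ACCOUNTS.items()}
    print("salted PBKDF2:", recover_from_salted_hashes(strong, COMMON_PASSWORDS))
```

Note that alice's common password is recovered from both stores; the salted, slow hash only multiplies the cost per guess, which is why the paragraph pairs proper hashing with strong passwords that appear in no wordlist.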

At the end of the day malware makers are interested in making money, and presently the key to the safe that guards your digital bankroll is the password. In a perfect world, this key would be complemented by retina scanners, laser sensors, and possibly also a rabid Rottweiler armed with a machine gun – but for consumers the technology just hasn’t gotten there yet. Perhaps one day we will all be walking around with implanted chips and bar codes and use biometrics that utilize DNA, but in the meantime the best approach is to combine what is currently available to create a multi-layered, digital fortress. In other words, create living cryptography.

Have a great (password-protected) day!


Zero Day Alert: Unpatched Vulnerability in Internet Explorer 8
2014-05-22 13:37

KMM shared a link

Zero Day Alert!

Researchers at HP’s Zero Day Initiative (ZDI) have just disclosed an unpatched vulnerability in Internet Explorer 8. This vulnerability allows attackers to install malware on your computer should you click on a malicious link or open a malicious email attachment. Such malware can then allow direct access to your files. Because HP has opted for public disclosure before Microsoft has issued a patch, this zero day is now known to IE 8 users and would-be attackers alike.

How to ensure protection from this threat

Microsoft has yet to issue a statement or a patch regarding this latest zero day. If you are running Internet Explorer 8, you are therefore vulnerable. Fortunately, this exploit hinges on user interaction, so to avoid infection simply follow best web practices and avoid clicking on any mysterious links or opening any unsolicited attachments.

Researchers at HP have recommended that users running IE 8 should also consider downloading Microsoft’s Enhanced Mitigation Experience Toolkit, the generic go-to repair tool for most Microsoft vulnerabilities. Additionally, we at Emsisoft recommend considering migration to a new web browser entirely, as this is the second IE zero day that has occurred in the last month alone. (See CVE-2014-1776, from late April.)

More Zero Day Details

According to HP ZDI’s disclosure timeline, Microsoft has actually known about this vulnerability since October 11th of last year, when researchers initially notified the company of the flaw. HP ZDI’s standard practice is to give vendors 180 days to issue a patch before making public disclosure. Accordingly, HP could have made disclosure as early as April 9th, 2014, but opted instead to give Microsoft a grace period of more than a month. To date, the vendor has still not issued a patch.

Public disclosure will inevitably mean that until a patch comes, attackers will be leveraging the IE 8 zero day as a path to malware infection and remote access to infected machines. Unless Microsoft issues an out-of-band patch, as it did with last month’s IE zero day, that patch will not come until June 10th, next month’s Patch Tuesday.

Perhaps most alarming of all, however, is that IE 8 runs on Windows XP. This means that today’s zero day will remain unpatched on the now-unsupported operating system until the end of time. In other words: if you are running this combination, your system now contains an open, publicly known door.

HP ZDI’s public disclosure can be viewed in full here:
http://zerodayinitiative.com/advisories/ZDI-14-140/


Have a great (Malware-Free) day!
